Tropic Trooper ditches Cobalt Strike for AdaptixC2 - new campaign against Taiwan, South Korea, and Japan uses trojanized SumatraPDF, GitHub C2, and VS Code tunnels for remote access

Zscaler ThreatLabz attributed a March 12 campaign to Tropic Trooper (APT23, Earth Centaur, KeyBoy, Pirate Panda), the China-linked group active since 2011. The new wave targets Chinese-speaking users in Taiwan plus targets in South Korea and Japan with AUKUS-themed lures. Two notable changes: a custom AdaptixC2 Beacon listener instead of Cobalt Strike, and GitHub Issues as the C2 channel. The dropper is a trojanized SumatraPDF reader that runs a TOSHIS-variant shellcode loader and drops AdaptixC2 in memory. For high-value victims, operators push VS Code and configure a tunnel ('code tunnel user login --provider github') for full remote access.

Check

Hunt your fleet for unexpected VS Code tunnel sessions from non-developer endpoints and block 'code tunnel user login' outside approved developer accounts.

Affected

Organizations with operations or staff in Taiwan, South Korea, or Japan working on Indo-Pacific security, defense policy, or AUKUS-adjacent topics. Any environment where VS Code is broadly installed (including non-developer roles) is exposed to the tunnel pivot. The trojanized SumatraPDF binary keeps the original signature structure intact in some samples.

Fix

Block .exe masquerading as documents at email and web gateways. Alert on encrypted POSTs to GitHub Issues from non-developer endpoints. Detect the VS Code tunnel pivot by alerting on 'code tunnel user login' from any account without a documented dev workflow. Audit corporate GitHub OAuth grants. Consider removing VS Code from non-developer endpoints entirely.